Analysis: Detailed China hacking report leaves little room for doubt

“Since 2004, Mandiant has investigated computer security breaches at hundreds of organizations around the world. [..] We first published details about the APT in our January 2010 M-Trends report. As we stated in the report, our position was that ‘The Chinese government may authorize this activity, but there’s no way to determine the extent of its involvement.’ Now, three years later, we have the evidence required to change our assessment. The details we have analyzed during hundreds of investigations convince us that the groups conducting these activities are based primarily in China and that the Chinese Government is aware of them.”

These are the first words of “APT1: Exposing One of China’s Cyber Espionage Units,” a report published last Monday by Mandiant, a cyber-security company, accusing the Chinese government of supporting hacking operations against 141 targets around the world.

Mandiant is a world leader in information security, providing services to companies that wish to protect their computers or investigate previous attacks to find out who is responsible. The American company – which began operating in 2004 – enlists various experts with a background in the US military and intelligence forces. The founder, Kevin Mandia, previously served as a computer security officer in the 7th Communications Group at the Pentagon, and as a special agent in the Air Force Office of Special Investigations (AFOSI). Travis Reese, President and Chief Operating Officer, used to work as a special agent with the United States Air Force Office of Special Investigations. Richard Bejtlich, the company’s Chief Security Officer, used to be a military intelligence officer at the Air Force Computer Emergency Response Team (AFCERT), Air Force Information Warfare Center (AFIWC) and Air Intelligence Agency (AIA).

Mandia’s team has tracked “Advanced Persistent Threats” (APT) since 2006 and has now issued a report focusing on “the most prolific” of them (named APT1), finding that they mostly originated from China. The company has followed them all the way back to four large networks in Shanghai, two of which are located in the Pudong area where PLA Unit 61398, a special body of the Chinese armed forces specialized in cyber-espionage, is based. Despite the lack of straightforward proof of the involvement of the Chinese military, the report clearly links the attacks to the PLA.

Their work is rich in detail. It covers the Unit’s position inside the People’s Liberation Army, the way in which it operates, the characteristics sought when recruiting its staff, and the code names of some of the hackers who have entered information systems worldwide as part of APT1. The authors even made room for a visual touch, publishing a picture of the white, multi-storey building where part of the Unit operates.

The building housing Unit 61398 of the People’s Liberation Army is seen in the outskirts of Shanghai. Pic: AP.

Of the 141 targets of APT1, 87 per cent are headquartered in countries where English is the native language. The investigation points out that “in over 97% of the 1,905 times Mandiant observed APT1 intruders connecting to their attack infrastructure, APT1 used IP addresses registered in Shanghai and systems set to use the Simplified Chinese language.” Besides, “817 of the 832 (98%) IP addresses logging into APT1 controlled systems using Remote Desktop resolved back to China.”
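The figures quoted above are the kind of attribution indicators an incident-response team derives from connection records on attacker-controlled infrastructure: where each source address is registered, what locale the operator’s system reports, and how many of the Remote Desktop logins resolve to a given country. The script below is an added illustration of that aggregation, not code from Mandiant or from the report. Every log line, IP range and registration entry in it is constructed (the addresses are RFC 5737 documentation ranges), and the `REGISTRATION` table stands in for a real WHOIS or geolocation lookup. It also counts distinct source addresses separately from sessions, since a handful of busy addresses can dominate a session-based percentage, and a registration record says where infrastructure is registered, not who is sitting at the keyboard.

```python
"""Aggregate attacker-infrastructure connection records into attribution indicators.

Added example; not from the Mandiant APT1 report. All log lines, IP ranges,
locales and registration data below are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed registration table: network -> (registered region, country code).
# These are RFC 5737 documentation ranges, not real allocations; a real lookup
# would query WHOIS / a geolocation database instead.
REGISTRATION = {
    ip_network("203.0.113.0/24"): ("Shanghai", "CN"),
    ip_network("198.51.100.0/24"): ("Beijing", "CN"),
    ip_network("192.0.2.0/24"): ("Unknown", "US"),
}

# Constructed connection records: timestamp, source IP, access method, system locale.
# The penultimate line is deliberately malformed to exercise the parser's error path.
SAMPLE_LOG = """\
2012-05-01T02:11:09Z 203.0.113.17 rdp zh-CN
2012-05-01T02:45:51Z 203.0.113.17 rdp zh-CN
2012-05-02T01:03:00Z 203.0.113.88 ssh zh-CN
2012-05-02T09:40:12Z 198.51.100.5 rdp zh-CN
2012-05-03T03:15:44Z 203.0.113.17 rdp zh-CN
2012-05-03T14:02:10Z 192.0.2.9 rdp en-US
2012-05-04T02:30:00Z 203.0.113.42 rdp zh-CN
2012-05-04T02:31:00Z not-an-ip rdp zh-CN
"""


@dataclass(frozen=True)
class Connection:
    ts: str
    ip: str
    method: str
    locale: str


def parse_log(text):
    """Parse whitespace-separated records; skip malformed lines instead of crashing."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, method, locale = parts
        try:
            ip_address(ip)
        except ValueError:
            continue  # unparsable source address: drop the record
        records.append(Connection(ts, ip, method, locale))
    return records


def lookup(ip):
    """Map a source address to its (region, country) via the constructed table."""
    addr = ip_address(ip)
    for net, registration in REGISTRATION.items():
        if addr in net:
            return registration
    return ("Unregistered", "??")


def attribution_indicators(conns):
    """Compute session-based shares plus a distinct-address count for context."""
    total = len(conns)
    regions = Counter(lookup(c.ip)[0] for c in conns)
    locales = Counter(c.locale for c in conns)
    rdp = [c for c in conns if c.method == "rdp"]
    rdp_cn = sum(1 for c in rdp if lookup(c.ip)[1] == "CN")
    return {
        "total_sessions": total,
        "shanghai_share": regions["Shanghai"] / total if total else 0.0,
        "zh_cn_share": locales["zh-CN"] / total if total else 0.0,
        "rdp_sessions": len(rdp),
        "rdp_sessions_from_cn": rdp_cn,
        "distinct_source_ips": len({c.ip for c in conns}),
    }


if __name__ == "__main__":
    for key, value in attribution_indicators(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

On the constructed sample, five of the seven parseable sessions come from the "Shanghai" range and six report a Simplified Chinese locale, but only five distinct source addresses are involved; reporting both numbers side by side is what keeps a percentage like “over 97%” honest about how concentrated the underlying infrastructure actually is.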

As mentioned, there is no ultimate proof of a linkage between APT1 and Unit 61398. But Mandiant argues that “given the volume, duration and type of attack activity we have observed, APT1 operators would need to be directly supported by linguists, open source researchers, malware authors, industry experts who translate task requests from requestors to the operators, and people who then transmit stolen information to the requestors.” It stresses that “APT1 would also need a sizable IT staff dedicated to acquiring and maintaining computer equipment, people who handle finances, facility management, and logistics (e.g., shipping).”

Considering such a scale of operations – on top of the data already mentioned, Mandiant estimates that the infrastructure needed to support the attacks would “conservatively” include 1,000 servers – and the fact that the source is located right where a unit of the PLA specialized in cyber-security operates, the authors conclude that “the totality of the evidence [..] bolsters the claim that APT1 is Unit 61398.”

Otherwise, it could be that “a secret, resourced organization full of mainland Chinese speakers with direct access to Shanghai-based telecommunications infrastructure is engaged in a multi-year, enterprise scale computer espionage campaign right outside of Unit 61398’s gates, performing tasks similar to Unit 61398’s known mission.”

The authors also point out that the stolen information could be “used to obvious advantage by the PRC and Chinese state-owned enterprises,” not least because “the industries APT1 targets match industries that China has identified as strategic to their growth, including four of the seven strategic emerging industries that China identified in its 12th Five Year Plan.” Their conclusion is that “APT1 is likely government-sponsored and one of the most persistent of China’s cyber threat actors. [..] APT1 is able to wage such a long-running and extensive cyber espionage campaign in large part because it receives direct government support.”

The report comes after a scandal at the New York Times, which in January this year claimed its computers had been hacked for four months following an article on the relatives of former Chinese Prime Minister Wen Jiabao (October 2012). Mandiant was hired by the paper to smoke out the intruders, whom they found were based in China. On that occasion, China’s Foreign Ministry Spokesman Hong Lei declared that “to presume the source of a hacking attack based on speculation is irresponsible and unprofessional.”

Reuters reported that on Wednesday the Chinese Defense Ministry published a statement claiming that Mandiant’s methods are unreliable because they rely on tracking IP addresses, which – says the Ministry – are easily hijacked.

On the same day, the Global Times, a Chinese State-controlled newspaper, published a long article reporting the words of Geng Yansheng, a spokesman for the Ministry of National Defense. He assured that “the Chinese military has never backed any hacking actions.”

Mr. Geng said that statistics show both the Chinese military and other users are subject to attacks from abroad – mostly from the US – and added that the Chinese side “do not point fingers at the US based on the aforementioned findings, and every country should deal with cyber security in a professional and responsible manner.”

Again on Wednesday, without naming China, the White House unveiled a plan to combat security threats. According to Reuters, US authorities are considering strengthening international efforts and revising relevant laws by “increasing criminal prosecutions and launching a 120-day review to see whether new U.S. legislation is needed.” Washington is also thinking about “promoting a set of ‘best practices’ that companies can use to protect themselves against cyber attacks and other espionage.”